Analysis Overview
SHA256
9a968d2448af89f2dae0d887c794857fe68bf005b011aa62b41e29b305d281ae
Threat Level: Known bad
The file 7-Sept-7964396133.zip was found to be: Known bad.
Malicious Activity Summary
GootLoader
Blocklisted process makes network request
Script User-Agent
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-07 11:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-07 11:55
Reported
2022-09-07 12:00
Platform
win10-20220812-en
Max time kernel
50s
Max time network
167s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\710f2efbe32f719f6d3be0830b598aed5e5ce7aecd37bf1fda3ebe11e5737eba.js
Network
| Country | Destination | Domain | Proto |
| US | 104.208.16.89:443 | tcp | |
| NL | 104.110.191.140:80 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-07 11:55
Reported
2022-09-07 12:00
Platform
win10-20220901-en
Max time kernel
218s
Max time network
220s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ad85754eee8b72117792559d9a4cb1f5c5e9899a0d91664a60fd0e93d7fdfc4d.js
Network
| Country | Destination | Domain | Proto |
| US | 13.89.179.10:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.97.80.9:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.96.244.210:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.91.178.75:443 | www.lukeamiller.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-09-07 11:55
Reported
2022-09-07 12:00
Platform
win10-20220812-en
Max time kernel
286s
Max time network
288s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Greater_western_water_enterprise_agreement (fbd).js"
Network
| Country | Destination | Domain | Proto |
| US | 52.168.112.66:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.98.47.14:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.87.105.164:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.84.214.193:443 | www.lukeamiller.net | tcp |